CVE-2010-1647
Description
Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in MediaWiki 1.15.x and 1.16 beta allows attackers to inject arbitrary script via crafted CSS strings that Internet Explorer misparses.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in MediaWiki versions 1.15 before 1.15.4 and 1.16 before 1.16 beta 3. The flaw resides in the CSS sanitization logic, which fails to account for differences in how Internet Explorer parses CSS escape sequences. Specifically, MediaWiki treats certain escape sequences (e.g., \72 followed by a non-ASCII whitespace character like U+3000) as safe, while Internet Explorer decodes them into executable JavaScript via the expression() function [1][2].
Exploitation
An attacker can build a CSS string containing hexadecimal escape sequences that Internet Explorer interprets differently from MediaWiki's filter. The attacker does not require authentication and can inject the malicious CSS through any input that accepts CSS, such as user-contributed styles or page content. The attack only affects users browsing the wiki with Internet Explorer (confirmed on IE 6 and 8) [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other client-side attacks, potentially compromising the victim's account or sensitive data [1].
Mitigation
Upgrade to MediaWiki 1.15.4 or 1.16 beta 3, released on May 28, 2010. The fix normalizes CSS escape sequences to a form that is consistently parsed by both compliant browsers and Internet Explorer, preventing the injection vector. No workaround is available for unpatched versions [1][2].
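The parser differential described above, as an added Python example of decoding escapes before filtering. It is not MediaWiki's patch or code from the references, and it rejects a value rather than rewriting it. The function names, the one-entry deny-list and the sample string are constructed for illustration.

```python
import re

def _escape_re(terminator):
    # A backslash followed by 1-6 hex digits and one optional terminator,
    # or a backslash followed by any single non-newline character.
    return re.compile(
        r"\\(?:([0-9A-Fa-f]{1,6})(?:\r\n|%s)?|([^\r\n\f]))" % terminator)

# CSS 2.1: only space, tab, CR, LF or FF may terminate a hex escape.
STRICT = _escape_re(r"[ \t\r\n\f]")
# Lenient reading: any Unicode whitespace (U+3000 included) terminates it.
LENIENT = _escape_re(r"\s")

# Hypothetical minimal deny-list; a real filter blocks more than this.
BLOCKED_TOKENS = ("expression",)

def decode_escapes(value, pattern):
    """Resolve CSS escapes in value under one parsing model."""
    def repl(match):
        if match.group(1) is None:
            return match.group(2)          # \X -> X for a non-hex character
        cp = int(match.group(1), 16)
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        return chr(cp) if valid else "\ufffd"
    return pattern.sub(repl, value)

def is_safe_css(value):
    """Reject the value if either decoding contains a blocked token."""
    for pattern in (STRICT, LENIENT):
        decoded = decode_escapes(value, pattern).lower()
        if any(token in decoded for token in BLOCKED_TOKENS):
            return False
    return True

# Constructed sample: \72 followed by U+3000, the shape named in the text.
SAMPLE = "width: exp\\72\u3000ession(1)"

if __name__ == "__main__":
    print("raw match:    ", "expression" in SAMPLE.lower())
    print("strict decode:", repr(decode_escapes(SAMPLE, STRICT)))
    print("lenient decode:", repr(decode_escapes(SAMPLE, LENIENT)))
    print("accepted:     ", is_safe_css(SAMPLE))
```

A filter that checks only the strict decoding accepts the sample, because U+3000 stays in the middle of the keyword; checking every decoding a supported browser may apply closes that gap.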
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mediawiki:mediawiki:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.15.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.16.0:beta2:*:*:*:*:*:*
- (no CPE) range: >=1.15 <1.15.4, >=1.16 <1.16 beta 3
Patches
No patches discovered yet.
References